10.9. Packet filter

The packet filter configuration is stored in the /etc/iptables.conf file. Although it is technically possible to edit this file manually, it is not recommended: the first two comment lines of the file warn against it, and the warning applies even when manual configuration is chosen over graphical configuration through ZMC.

#
# This file is generated automatically from iptables.conf.in and iptables.conf.var.
# Do not edit directly, regenerate it using iptables-gen.

To make packet filter configuration less error-prone and easier, a frontend utility pack, iptables-utils, has been created; its scripts help with creating and maintaining packet filter rulesets. For more details on iptables-utils, see chapter Packet Filtering.

Tip

Using iptables-utils is highly beneficial in the long term, as it dramatically decreases the number of system closeouts, that is, administrator lock-outs caused for example by activating an incorrect packet filter ruleset. It is especially valuable when the administrator is far away from the firewall.

After installing the firewall, a default ruleset is active. Since Zorp acts as a default-deny firewall, this ruleset allows only connections to the firewall from the ZMS host machine specified during installation, and outgoing connections originating from the firewall itself. Besides the iptables.conf file, which stores the currently active ruleset, the iptables.conf.in file is also present in the system (/etc/iptables.conf.in). For a detailed comparison of the two files, see Appendix A, Packet Filtering. The /etc/iptables.conf.var file is also stored, containing a single statement:

#define ZMSHOST <ip_address>

This entry allows you to refer to the ZMS host machine by the name ZMSHOST rather than by its IP address when editing the iptables.conf.in file. These tools and the intermediate configuration files greatly help the administration of packet filter rulesets. However, an in-depth knowledge of iptables is still needed for the successful management of the packet filter.
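As an added example, not Zorp's own iptables-gen and not its shipped default ruleset: a small shell stand-in that expands the #define macros of a .var file into a .in template the way the text describes, then refuses the generated ruleset if it would produce the lock-out mentioned in the Tip above. The file paths, the template contents and the 192.0.2.10 address are constructed for the example.

```shell
#!/bin/sh
# Added example, not Zorp's iptables-gen: expands "#define NAME value" lines
# from a .var file into a .in template and rejects a result that would lock
# the administrator out. Paths, template and the ZMS address are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
VAR="$WORK/iptables.conf.var"
TEMPLATE="$WORK/iptables.conf.in"
GEN="$WORK/iptables.conf"
ZMS_IP=192.0.2.10
# Constructed .var file, same shape as the single statement described above.
printf '#define ZMSHOST %s\n' "$ZMS_IP" > "$VAR"
# Constructed template: default-deny policy plus the two default allowances
# (ZMS host -> firewall, and traffic originating from the firewall itself).
cat > "$TEMPLATE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ZMSHOST -j ACCEPT
COMMIT
EOF
# expand_defines VARFILE TEMPLATE: replace every whole-word macro occurrence.
expand_defines() {
    awk 'FNR == NR { if ($1 == "#define") def[$2] = $3; next }
         { for (i = 1; i <= NF; i++) if ($i in def) $i = def[$i]; print }' "$1" "$2"
}
# check_ruleset FILE ZMS_IP: succeeds only if INPUT is default-deny, the ZMS
# host is still admitted, and no unexpanded macro is left in the file.
check_ruleset() {
    grep -q '^:INPUT DROP' "$1" || return 1
    grep -q -- "^-A INPUT -s $2 -j ACCEPT" "$1" || return 1
    if grep -q 'ZMSHOST' "$1"; then return 1; fi
    return 0
}
{ printf '#\n# Generated by the example script from iptables.conf.in and iptables.conf.var; do not edit.\n'
  expand_defines "$VAR" "$TEMPLATE"; } > "$GEN"
if check_ruleset "$GEN" "$ZMS_IP"; then
    echo "ruleset passes the lock-out guard: $GEN"
else
    echo "refusing ruleset: it would lock out the ZMS host" >&2
fi
```

Loading the checked file is left to the administrator (for example with iptables-restore); the guard only stops the specific mistake of dropping the ZMS host rule or leaving a macro unexpanded.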

For more information on the Zorp-specific configuration of IPTables, see Appendix A, Packet Filtering, the installed manual pages of iptables (the userland utility), and the documentation of the Netfilter/IPTables project, including a detailed tutorial and HOWTO documents accessible from Appendix C, Further readings.